Posted
by
timothy
on Saturday April 18, 2009 @05:44PM
from the why-assume-otherwise? dept.

An anonymous reader writes "MIT has been monitoring student internet connections for the past decade without telling them. There is no official policy and no student input." The Tech article says, though, that the record keeping is fairly limited in its scope (connection information is collected, but not the data transferred) and duration (three days, for on-campus connections).

I'd be very surprised to find a college or ISP that didn't monitor their network in this fashion. Looks like maybe they are keeping DHCP, transparent proxy, and network statistics. Plus they are doing intrusion detection and looking for malicious activity. The good news is that they are not keeping these records long term, but only for a reasonable amount of time. If they are having a problem or suspicious activity then they probably keep it longer. Face it, your internet activities are NOT anonymous no matter how much you'd like it pretend that it is.

I can see the argument that you could in theory back out the web surfing history of a particular mac address.

These are things any self-respecting network should be doing. The issue here is students not realizing that some monitoring and logging is done. I'm willing to bet that consent to monitoring is referenced in an agreement that the students signed, but that the details of the monitoring are not spelled out.

At my work, users sign agreements on acceptable use and consent to monitoring. I only dig into the logs if there is a problem, the IDS flagged something, or an accusation is made. Sometimes the logs prove innocence, btw.

Part of the problem with this sort of thing is, with no policy, where do reasonable expectations of privacy for using someone's pipe they've offered you access to begin and end? In general, with no privacy policy, there is no expectation of privacy, unfortunately.

you actually want to depend upon the federal government for your security?

you want to depend upon some school, some cable company, some phone company not to snoop on you?

whenever i'm encountered by this strange slashdot groupthink, i really have only one thing to offer: if you put it on a wire, if its outside your control, then the security or privacy of whatever you are doing is nothing you should count on

the outrage seems artifical, contrived, illogical, exasperating

if you want security, if you want privacy DON'T PUT IT ON A WIRE OUTSIDE YOUR CONTROL

beginning and ending of discussion

as if you actually want ot TRUST some other entity to do your security work for you?

Seriously, they keep the records for 3 days for most traffic and 30 days for anomolous traffic which might indicate a threat to the network. Most networks I have seen keep data for far longer just because nobody ever bothers to clean out the logs.

The fact that they have a policy for cleaning the logs puts them streets ahead of the most network admins and yet they are being portrayed as the bad guys here.

In other words you are afraid of people with guns. I once got punched in the face, standing at a bus stop. It was terrifying. And yet I don't go around asking that all fists be taken off the streets.

The world we live in is a dangerous place. I could have just as easily been stabbed, or pushed in front of a train. The sooner you learn to deal with the inherent dangerousness of life, the happier you will be.

Except we have governments actively trying to thwart the notion of privacy with calls like "think of the children" and the "war on terror". We've had data retention laws, illict wiretapping, internet traffic monitoring, etc. Do you honestly think that if someone comes up with a magic solution that the govt won't label it a security threat and somehow ban its use? Or automatically assume it's use involves illegal activities? We already see that with bittorrent.

What? Stop with the stupid card analogies. They don't apply here. Let's come up with a better analogy.

It's like... a service provider. Who provides a service. And that service provider monitors the health and usage of their service. And if you don't use their service, it doesn't affect you; while if you do use it, it does.

What is much more interesting about this article, is not so much what MIT are doing with regard to typical network function monitoring, rather than data recording and individually targeted analysis, it is the way people are reacting. There has been a major shift in the general public view of digital privacy and the wild wild west days of invading the privacy of people, psychologically analysing them and personally targeting them with adds to manipulate their choices, is no longer considered acceptable.

So a real push to regaining the privacy of your digital connections, even minor perceived invasions of privacy are now being publicly exposed, derided and demands are being made to eliminate them. Emails as postcards really distasteful and way over the top, privacy invasive social networking sites only use them to create a publicly acceptable facade not for your private life, search recoding and analysis pretty sick and reaching end of acceptable life, complete network monitoring and interpretive analysis over the long term without full legal oversight via the courts will only create a very very angry populace.

It has been really interesting to watch the various changes in a developing industry, things that were once accepted are now considered unacceptable and, some peripheral lessons learned about necessary legislation to control the excesses of avaricious egomaniacal corporate executives will be taken from the financial sector and forcefully applied to the digital sector, expecting some sort of moral limits from corporations is really naive and demonstrably foolish.

hile it's wrong that they store the data without telling the users, and while users should have better expectations of privacy, you have to look at this in context

No, back up. Why is it wrong? THey own the network. They are responsible for the health and maintenance of that network; and further they are responsible for the things people/do/ on that network to some extent.

I agree with looking at this in context/with perspective, but I don't see how what they're doing is in any way wrong.

Please, enough with your right to live, and your childish fear of guns. Cars kill more people than guns adjusted any way you like. One percent of one percent of deaths are gun related. How is this a credible threat to your "right to live"? The only answer is "It is not", contrary to what movies, television, and govt.'dependency-mongers' would have you believe.

And fascists don't come out of the 'right-wing-small-government-yokel-in-the-woods' fray. It requires a Socialist leader (Hitler, Mussolini) to create a fascist state: You have to tie industry and finance to the government under the guise of rescuing or improving the plight of the working class. Hey, wait a minute!-

a) where the bomb threat came from.b) which building the suicidal student needs to get talked down from.c) who impersonated the professor to cancel an assignment.d) how a lab router ended up sniffing for passwords.

All of these things happened while I was in campus IT, but I never heard about an RIAA/MPAA complaint about something that happened less than two weeks prior, so this really doesn't look like undue outside influence to invade student privacy. It's just responsible network management.

The more guns there are in a society the more intentional homicides, be it Somalia, USA, or Switzerland (three of the countries with the highest rates of gun violence and homicide anywhere in the world).

So, what's your solution then? A gun prohibition [wfu.edu]? I suspect that will work about as well as Alcohol Prohibition or the "War on Drugs", which is to say not at all.

The current arrangement in no way perfect. But there's no way to prove that a divisive campaign to rid the public of its arms wouldn't be worse. And even IF there are less bodies in the end, at some point one needs to consider how the people live rather than how many die. Being servants of the state or victims of the largest, meanest group aren't exactly desirable outcomes. And what about the will of the people? If the majority of voters see a place for firearms in private hands, why should they be denied that in a Democratic country? Because you know better? For their own good? Such is the mindset of an oligarch [wikipedia.org], an authoritarian [wikipedia.org].